Enterprise networks typically accommodate a multitude of applications and services such as e-commerce, enterprise resource planning, private Intranets, supply-chain extranets and new Voice over Internet Protocol (“VoIP”) and wireless infrastructure. In addition, increasing numbers of service providers and enterprises alike are consolidating their communications infrastructures into a single converged intelligent data network. Adding to the complexity, networks have come under an increasing number of malicious attacks that not only compromise the security of network resources, but also prevent access by legitimate users.
Over the years, proprietary network management systems (“NMSs”) have been developed to help service providers and enterprises manage their communications infrastructures, such as the NMS sold under the trademark “EpiCenter” by Extreme Networks, Inc., of Santa Clara, Calif., the assignee of the present application. For example, EpiCenter provides network management tools to facilitate the management of the connection points in a network, such as the switches, hubs, and routers, collectively referred to as switches, as well as the end points in the network, such as computer workstations, wireless access points (AP), VoIP telephones, and application servers.
One example of the type of network management task that is often facilitated by an NMS is the task of controlling access to network resources. In a typical scenario, the NMS operates in conjunction with an authentication server, such as the Remote Authentication Dial-In User Service (“RADIUS”) server, to provision a switch with the appropriate network resources based on the type of device and/or identity of the user that is attempting to gain access. Among other things, provisioning the switch with the appropriate network resources primarily involves deploying the proper configuration and policy data to the switch through which the device/user is connected to the network, and instructing the switch to configure the port in accordance with the deployed data.
In today's complex converged network environments that support both wired and wireless access to a variety of resources, including voice, video, and data, ensuring that the switch is properly provisioned can be burdensome. For example, in order to provision the switch with the correct network resources, quality of service, and security policy for successful voice operation, the switch must be instructed to configure the selected port to which a VoIP telephone is connected with the proper Link Layer Discovery Protocol (LLDP) parameters, Virtual Local Area Network (VLAN) name, port VLAN ID, power conservation mode, call server name, 802.1Q framing parameter, and Access Control List (ACL). Should the user/device subsequently access the network from a different location, the switch may need to be instructed to configure a different port, or, if the switch through which the user is connecting to the network changes, then the new switch may have to be separately provisioned.
Because there can be hundreds of switches in a network, each having numerous ports, provisioning them with the correct network resources is not only time-consuming, but also error-prone. Moreover, any given switch may use different LLDP parameters and/or other data values, and/or may need to be instructed differently, depending on whether the switch is a different model, or from a different vendor. In addition, should the type of end point device that is accessing the network change, such as the model and vendor of the VoIP telephone, the switch may again need to use different LLDP parameters and/or other data values. Moreover, once the user/device disconnects from the network, the previous switch port configuration needs to be restored in order to secure the network. The process starts all over again once the next device connects to the network, whether it is the same device or an altogether different device, such as a computer workstation.
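The provisioning cycle described above (authentication server returns a verdict, the NMS applies a per-device-class port configuration with vendor-specific parameter names, and the port is returned to a secure baseline on disconnect) is modelled below as an added example. It is not code from the patent, from EpiCenter, or from ExtremeXOS; the profile names, the quarantine baseline, the "othervendor" parameter names and the attribute dictionaries are all constructed for illustration. The only standard-derived part is the VLAN-assignment check: RFC 3580 requires the Tunnel-Type (13 = VLAN), Tunnel-Medium-Type (6 = IEEE-802) and Tunnel-Private-Group-ID attributes to be present together before a switch may place a port in the named VLAN, and the example fails closed to the baseline when the triple or the device profile is incomplete.

```python
# Added example (not the patent's or the vendor's code): authentication-driven
# port provisioning with vendor-specific parameter names, fail-closed handling
# of incomplete RADIUS attributes, restore-on-disconnect, and a stale-port audit.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attribute values from RFC 2868 / RFC 3580 used for VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Baseline every port returns to when no device is authenticated
# (constructed for this example; a real deployment picks its own quarantine VLAN).
BASELINE = {"vlan": "quarantine", "acl": "deny-all", "lldp_med": False, "voice_vlan": None}

# Device-class profiles keyed by a RADIUS Filter-Id returned by the authentication
# server. Names are hypothetical.
PROFILES = {
    "voip-phone": {"acl": "voice-only", "lldp_med": True, "voice_vlan": "voice"},
    "workstation": {"acl": "corp-user", "lldp_med": False, "voice_vlan": None},
}

# Hypothetical per-vendor knob names: the same policy item is expressed differently
# on different switch models, which is the translation the NMS has to perform.
VENDOR_LLDP_KEY = {"extremexos": "lldp-med-policy", "othervendor": "med-network-policy"}


def vlan_from_access_accept(attrs: Dict[str, object]) -> Optional[str]:
    """Return the VLAN named by a RADIUS Access-Accept, or None when the RFC 3580
    triple is incomplete. A switch must not guess a VLAN from a partial triple."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802:
        return None
    vlan = attrs.get("Tunnel-Private-Group-ID")
    return str(vlan) if vlan else None


@dataclass
class Switch:
    vendor: str
    ports: Dict[str, dict] = field(default_factory=dict)     # port -> applied config
    sessions: Dict[str, str] = field(default_factory=dict)   # port -> authenticated identity

    def provision(self, port: str, identity: str, attrs: Dict[str, object]) -> bool:
        """Apply a device profile to `port` only when the Access-Accept fully
        specifies it; otherwise leave the port at the baseline and report failure."""
        vlan = vlan_from_access_accept(attrs)
        profile = PROFILES.get(str(attrs.get("Filter-Id")))
        if vlan is None or profile is None:
            self.restore(port)          # fail closed: unknown device gets the baseline
            return False
        cfg = dict(BASELINE)
        cfg.update(profile)
        cfg["vlan"] = vlan
        # Translate the vendor-neutral LLDP-MED flag into this switch's own parameter.
        cfg[VENDOR_LLDP_KEY[self.vendor]] = cfg.pop("lldp_med")
        self.ports[port] = cfg
        self.sessions[port] = identity
        return True

    def restore(self, port: str) -> None:
        """Disconnect / accounting-stop handler: return the port to the baseline so
        the next device on the port inherits nothing from the previous one."""
        self.ports[port] = dict(BASELINE)
        self.sessions.pop(port, None)

    def stale_ports(self) -> List[str]:
        """Audit check: ports that deviate from the baseline with no live session,
        i.e. configuration that was never restored or was applied out of band."""
        return sorted(p for p, cfg in self.ports.items()
                      if cfg != BASELINE and p not in self.sessions)


if __name__ == "__main__":
    sw = Switch("extremexos")
    accept = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
              "Tunnel-Private-Group-ID": "voice", "Filter-Id": "voip-phone"}
    print("provisioned:", sw.provision("1:1", "phone-00:11:22", accept), sw.ports["1:1"])
    sw.restore("1:1")
    print("after disconnect:", sw.ports["1:1"], "stale:", sw.stale_ports())
```

The `stale_ports` check is the one a practitioner would schedule against the NMS inventory: a port that still carries a voice VLAN and a permissive ACL with no authenticated session behind it is exactly the state the text warns about when the previous configuration is not restored.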
In an effort to address some of these challenges, network architects of complex converged networks are turning to a new generation of intelligent switches equipped with operating systems that provide more advanced configuration and security capabilities than were previously available. For example, the switch operating system sold under the trademark “ExtremeXOS” by Extreme Networks, Inc., of Santa Clara, Calif., the assignee of the present application, provides Extreme's switches with advanced capabilities, including the ability to store configuration information that can be used to dynamically configure a port as needed in a non-disruptive manner.
Despite these advances, existing network management tools are inadequate to help network administrators to fully exploit the advanced configuration and security capabilities of today's intelligent switches. As a result, network administrators have avoided implementing ambitious and complex configurations that would ultimately help them to make their networks more robust and secure.